It has been well studied, documented, and reported that the greatest concern with regard to acceptance of and migration to cloud computing is security. In 2014’s “The Future of Cloud Computing” Survey, 49 percent of respondents cited security as an inhibitor to cloud adoption. Privacy and regulatory compliance trail not far behind on the scale of inhibitors, with over 30 percent each.
Nonetheless, the cloud is an integral and strategic innovation that fuels new business and provides competitive advantage. In contrast to the inhibitors, the drivers for cloud adoption include agility, cost-effectiveness, scalability, and shifting CapEx to OpEx. Goldman Sachs reports that 27 percent of those moving workloads to the cloud are motivated to do so because it will help them lower capital expenditures.
And so, IT leaders are left with a conundrum: shun the cloud because of concerns around security, privacy, and compliance, or accept the cloud as the next frontier and take the proper precautions when stepping into the future.
Cloud Security Precautions to Consider
To combat the security, privacy, and compliance concerns, best practices include secured infrastructure (firewalls, etc.), employee training, and data encryption. Cloud encryption protects sensitive data in case there is a breach. With proper encryption, even if the cloud is breached, data is rendered unreadable and unusable.
Unless, of course, hackers can get the encryption keys; with the keys in their possession, they can easily access even the encrypted data.
To stay a step ahead of hackers is to think like a hacker. How will hackers get your encryption keys?
A Hacker’s List of Security Holes
Achieving Compliance, Privacy, and Security in the Cloud
Hackers have ways of penetrating security perimeters. They can easily access encryption keys stored in the cloud and use them to decrypt sensitive data. This exposes your company to breaches, bad PR, and financial as well as bureaucratic responsibilities (just ask former Target CIO Beth Jacobs). Hackers can also get at the keys through employees of cloud providers (or of the company they are targeting) who have access to the encryption keys stored there. Earlier this year, Coke reported a data breach where a former worker stole several company laptops that locally stored employee information, such as social security and driver’s license numbers.
Some companies take security to the highest level by splitting their encryption key into two parts, one of which is kept with them at all times. Since both parts are needed to decrypt data, compromising these companies is an impossible mission. Furthermore, they often also protect their keys with homomorphic key management, which encrypts the key itself while it is in use. As a result, their keys become inaccessible – hackers cannot get them while they are in use nor while they are stored. When coming across companies that use these precautions, it is best to move on to easier targets.
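The two-part key described above can be illustrated with a two-share XOR split, in which both shares are required to rebuild the key. This is an added example, not code from the original article or from any vendor's product, and it does not cover homomorphic key management. The XOR construction, the function names, the key size and the share roles (customer-held and cloud-stored) are assumptions.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 32  # 256-bit data-encryption key (assumed size)


def split_key(key: bytes) -> tuple:
    """2-of-2 split: one share is pure randomness, the other is key XOR that share."""
    customer_share = secrets.token_bytes(len(key))
    cloud_share = bytes(k ^ c for k, c in zip(key, customer_share))
    return customer_share, cloud_share


def combine(share_a: bytes, share_b: bytes) -> bytes:
    """Rebuild the key; both shares are mandatory and must be the same length."""
    if len(share_a) != len(share_b):
        raise ValueError("share length mismatch")
    return bytes(a ^ b for a, b in zip(share_a, share_b))


def key_check_value(key: bytes) -> str:
    """Short fingerprint used to confirm a rebuilt key without storing the key."""
    return hmac.new(key, b"key-check", hashlib.sha256).hexdigest()[:16]


def other_share_for(stolen_share: bytes, candidate_key: bytes) -> bytes:
    """For ANY candidate key a matching second share exists, so a single
    stolen share is consistent with every possible key and narrows nothing."""
    return combine(stolen_share, candidate_key)


def demo() -> tuple:
    key = secrets.token_bytes(KEY_LEN)          # constructed sample key
    kcv = key_check_value(key)
    customer_share, cloud_share = split_key(key)
    rebuilt_ok = hmac.compare_digest(
        key_check_value(combine(customer_share, cloud_share)), kcv)
    # Only the cloud share is available: pairing it with a guessed share fails.
    guess = combine(secrets.token_bytes(KEY_LEN), cloud_share)
    guess_ok = hmac.compare_digest(key_check_value(guess), kcv)
    return rebuilt_ok, guess_ok


if __name__ == "__main__":
    print(demo())  # both shares rebuild the key; one share plus a guess does not
```

The protection holds only while the two shares are stored and accessed separately; keeping both in the same cloud account removes the benefit.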
To truly achieve the required compliance, privacy, and security in the cloud, the bottom line is that all data must be properly encrypted and encryption keys can never be trusted to anyone. By owning the keys, you own the data. The best way to benefit from the cloud while maintaining ownership of encryption keys is through software-defined innovations like split-key encryption and homomorphic key management.